Pods are assigned ENI IPs which are directly routable in the AWS VPC. This
simplifies communication of pod traffic within VPCs and avoids the need for
SNAT.

Pod IPs are assigned a security group. The security groups for pods are
configured per node, which makes it possible to create node pools and give
different security group assignments to different pods. See section AWS ENI
for more details.

The pod’s network namespace contains a default route which points to the
node’s router IP via the veth pair, which is named eth0 inside the pod
and lxcXXXXXX in the host namespace. The router IP is allocated from the
ENI space, so that ICMP errors can be sent from the router IP for Path
MTU purposes.

After passing through the veth pair and before reaching the Linux routing
layer, all traffic is subject to Cilium’s BPF program to enforce network
policies, implement load-balancing and provide networking features.

An IP routing rule ensures that traffic from each individual endpoint uses
the routing table specific to the ENI from which the endpoint IP was
allocated:

30: from 192.168.105.44 to 192.168.0.0/16 lookup 92
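
A check built on the rule format above, added here as an example and not part of the Cilium documentation or code: it reads the output of ip rule and reports endpoint IPs that have no source rule, routing tables shared by endpoints of different ENIs, and ENIs whose endpoints are spread over several tables. The endpoint-to-ENI inventory, the extra rule lines and the ENI names are constructed placeholders.

```python
import re
from collections import defaultdict

# Rule format shown above: "30: from 192.168.105.44 to 192.168.0.0/16 lookup 92"
RULE_RE = re.compile(r"^\d+:\s+from\s+(\d+\.\d+\.\d+\.\d+)\s+to\s+\S+\s+lookup\s+(\S+)")

# Constructed sample data: ip rule output and an endpoint IP -> ENI inventory.
SAMPLE_RULES = """\
0: from all lookup local
30: from 192.168.105.44 to 192.168.0.0/16 lookup 92
30: from 192.168.105.45 to 192.168.0.0/16 lookup 92
30: from 192.168.120.7 to 192.168.0.0/16 lookup 92
32766: from all lookup main
32767: from all lookup default
"""
SAMPLE_ENDPOINTS = {
    "192.168.105.44": "eni-a",
    "192.168.105.45": "eni-a",
    "192.168.120.7": "eni-b",   # wrongly shares table 92 with eni-a
    "192.168.120.8": "eni-b",   # has no source rule at all
}

def source_rules(ip_rule_output):
    """Map each single-address source to the routing table its rule selects."""
    tables = {}
    for line in ip_rule_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # "from all" and prefix sources do not match and are skipped
            tables[m.group(1)] = m.group(2)
    return tables

def audit(ip_rule_output, endpoint_to_eni):
    """Compare per-endpoint rules against the expected one-table-per-ENI layout."""
    tables = source_rules(ip_rule_output)
    missing = sorted(ip for ip in endpoint_to_eni if ip not in tables)
    enis_per_table = defaultdict(set)
    tables_per_eni = defaultdict(set)
    for ip, eni in endpoint_to_eni.items():
        if ip in tables:
            enis_per_table[tables[ip]].add(eni)
            tables_per_eni[eni].add(tables[ip])
    return {
        "missing": missing,  # endpoints that fall through to the default tables
        "shared_tables": {t: sorted(e) for t, e in enis_per_table.items() if len(e) > 1},
        "split_enis": {e: sorted(t) for e, t in tables_per_eni.items() if len(t) > 1},
    }

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, SAMPLE_ENDPOINTS))
```
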

The ENI specific routing table contains a default route which redirects
to the router of the VPC via the ENI interface:

ipam: eni enables the ENI specific IPAM backend and indicates to the
datapath that ENI IPs will be used.

blacklist-conflicting-routes: "false" disables blacklisting of local
routes. This is required as routes will exist covering ENI IPs pointing to
interfaces that are not owned by Cilium. If blacklisting is not disabled, all
ENI IPs would be considered used by another networking component.

auto-create-cilium-node-resource: "true" enables the automatic creation of
the CiliumNode custom resource with all required ENI parameters. It is
possible to disable this and provide the custom resource manually.

egress-masquerade-interfaces: eth+ is the interface selector of all
interfaces which are subject to masquerading. Masquerading can be disabled
entirely with masquerade: "false".

See the section AWS ENI for details on how to configure ENI IPAM
specific parameters.